Jump to content


draker

Admin delegation per OU

Recommended Posts

Hello,

 

I am looking for a bit of help with admin delegation in SCCM 2012 r2. I think I've got a good amount of the delegation done but I'm really looking for a how-to or a reference article that could better explain what components should be delegated.

 

 

What I am trying to achieve:

 

We are offering SCCM as a service to other administrators in our forest. Administrators will be granted full access to administrate workstations and servers that reside in there specific OU in Active Directory. This means create collections, import computers, deploy software, OSD, install clients, reporting, inventory.. etc. Basically anything an administrator would need to manage computers and servers.

 

Stuff like site integration and boundary groups etc, will be done by the service sysadmins.

 

 

What I've done so far:

 

I've used RBAviewer to create two new rolls: OU Read Only Admin, OU Admins Specific Scope

 

Imported all computers in each of the OU's to ORG collections (ORG - OU Systems), and assigned admin users and scoped them to the ORG collections.

 

Created security scopes for each OU and associated users to those scopes.

 

 

This all seems to be working well so far, but I know I am missing a few things for example client settings. Another thing I am trying to figure out is how I can scope 'Import Computer Information' so that when someone imports information it will actually go to their OU. Right now, even if I select a specific collection the computer information always ends up in All Systems and/or Devices.

 

 

I know I can't be the first one setting this up. If anyone has a good write-up or a list of permissions that one would typically delegate in this situation that would be great!

 

 

As always, if I left anything out let me know and I can provide more information.

 

Thank you.

Share this post


Link to post
Share on other sites

Also, I'm trying to find info about SMB shares on the site server.

 

What other servers need access to these shares? I am going to firewall them off as needed.

 

I am guessing OU admins may want access to the \\site-server\SMS_101\Logs directory at least and possibly a few more. Any advise here?

 

 

Thanks!

Share this post


Link to post
Share on other sites

Can you please take some picture of your setup with role in sccm.

I think this kan help you with 'Import Computer Information'

http://blogs.technet.com/b/inside_osd/archive/2012/04/30/custom-role-based-administration-for-importing-computers.aspx

kind regard

sg

http://www.learnmesccm.com/

https://www.linkedin.com/pub/safet-grahic/a0/842/b21

Share this post


Link to post
Share on other sites

This is sort of a PITA to accomplish but it is how we are running here with 250+ OUs each needing this.

 

We have done it via security scopes, custom roles, and limiting collections. For example. OU1 needs rights to OU1 PCs and has to be able to deploy Corporate pakcages,make their own, but not modify corporate packages. Also needs to be able to import computers.

 

I can provide more details, but in general.

 

Create a role for 'read' access and assign it to the 'read' scope you will be creating. This gets assigned to the user under the Security Scopes tab > Associate assigned security..... menu.

 

Create a role for 'write' and assign it to the security scope you create for the OU. Assign the OU top most level collection to this.

 

Create a role for import computers. default scope is ok. Assign it to the limiting collection for that OU. The limiting collection should be based off of all systems. We query machines like so. We only import computers for imaging purposes.

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.Client = 1) and SMS_R_System.AgentName like "%Manual%" and SMS_R_System.Name like "%OU GOES HERE%")

 

That says give it to OU if manual build and no sccm client.

 

We also have a role for distributing content to the DP and a scope to go along with that.

 

This can probably be done simpler, but we decided to segregate some of the roles, we feel if anything needs to be changed going forward this may be easier on us.

 

I can provide screen shots and more details if you want.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.